Consultation outcome

Government response to consultation on the revised Interception of Communications code of practice (accessible)

Updated 17 October 2022

This was published under the 2019 to 2022 Johnson Conservative government

October 2022

Ministerial foreword

The Investigatory Powers Act 2016 (IPA / the Act) provides a regulatory framework for the use and oversight of investigatory powers, to ensure that the powers are used by law enforcement and the security and intelligence agencies in a lawful way that is compliant with the UK’s obligations under the European Convention on Human Rights (ECHR).

This involves ensuring that the use of the powers is always closely supervised and constantly reassessed to ensure that what is being done is justified.

The IPA incorporates a number of important safeguards to guard against arbitrary or excessive use of the powers, including a strict authorisation framework and provision for independent oversight and review of the use of the powers.

Section 4 of the IPA states that a person intercepts a communication in the course of its transmission by means of a telecommunication system if they perform a relevant act in relation to the system and the effect of that act is to make any content of the communication available at a relevant time to a person who is not the sender or intended recipient of the communication.

The use of interception is key to protecting national security and fighting serious crime. It allows investigators to gain an insight into the criminal and terrorist organisations they are targeting.

For decades, interception has played a crucial role in preventing, and securing prosecutions for, serious crimes including terrorism, drugs and firearms offences, as well as child sexual exploitation and abuse. This has included helping to identify and disrupt many of the terrorist plots that have been prevented.

The IPA is supplemented by the Interception code of practice which provides detailed, comprehensive guidance and best practice on the use of Interception.

It is intended to guide law enforcement agencies, the security and intelligence agencies and other public authorities who exercise such powers. It sets out additional safeguards as to how the powers already in primary legislation should be exercised and the duties performed.

The Interception code of practice was issued in 2018 and on 21 July 2022 the government published a consultation on the revised Interception code which ran for 8 weeks, concluding on 15 September 2022. The revised Interception code which we consulted on has been updated to reflect HMG’s position on cloud-service providers, the enterprise services they provide to customers, and the circumstances in which an intercepting authority should serve a warrant on either the cloud-service provider or the enterprise customer.

I am grateful for the response that the Home Office received and we have given careful consideration to it. That is why we have included further guidance in the revised Interception code on the circumstances in which an intercepting authority should serve a warrant on the cloud service provider or the enterprise customer.

These changes will bring much needed clarity for US communications service providers (CSPs) and UK telecommunications operators (TOs) who are impacted by enterprise service issues. The Investigatory Powers Commissioner (IPC) continues to oversee the use of the powers to which this code applies, and adherence to the practices and processes described in it. The government will also continue to keep under review the operation of the Interception code.

The Rt. Hon Tom Tugendhat MBE MP

Minister of State for Security

Executive summary

The revised Interception code is intended to provide clarity to intercepting authorities, cloud service providers and their enterprise customers regarding the circumstances in which an intercepting authority should serve a warrant on either the cloud-service provider or the enterprise customer. It is important to note that the revised Interception code does not change our policy or the legislative provisions concerning interception.

As part of our wider engagement with public authorities and interested parties on the preparation of this revised Interception code we carried out a public consultation between July 2022 and September 2022. We have since given careful consideration to the one response received and have made further minor amendments to the revised code, the new text will be inserted into Chapter 7 of the revised Interception code.

Background

Investigatory Powers Act 2016 – Interception of Communications code of practice

The Interception of Communications code of practice provides guidance on the procedures that must be followed in relation to the interception of communications and/or the obtaining of secondary data under the IPA. This code of practice is primarily intended for use by those public authorities listed in section 18 of the Act as well as postal and telecommunications operators and other interested bodies to understand the procedures to be followed.

Devolved administrations

Where there are limits on the application of the revised Interception code to Scotland and Northern Ireland (or alternative domestic provision), this is stated in the code.

Public consultation on the revised Interception code

The codes of practice issued under the IPA– including the Interception code - may be revised, for example to take account of changes in policy or because of new and emerging technology. The government (as statutorily required) published a draft revised Interception code before laying it in Parliament.

On 21 July 2022, the Home Office launched a public consultation for a period of 8 weeks to seek views on the changes to the draft revised Interception code that concluded on 15 September 2022.

The Home Office has now analysed and given careful consideration to the consultation response received, and a summary of those considerations are provided in the “Responses” section of this document (below).

As well as the formal public consultation, the draft revised Interception code has been prepared with input from the independent Investigatory Powers Commissioner’s Office, the intelligence services, law enforcement agencies, and other public authorities.

The government will publish the latest version of the revised Interception code on the GOV.UK website. This is to ensure that it is readily accessible when it comes into force.

Overview of the consultation responses

Table of respondents

The following table lists the responses that we received during the consultation.

Nature of response Number of responses
Members of public 0
Legal representatives 0
Oversight bodies 0
Public authorities 0
Other bodies 1

In total, we received one response to the public consultation from one US CSP. The Home Office has carefully considered all comments and suggestions made. The primary focus was on clarifying the circumstances in which an intercepting authority should serve a warrant on the cloud service provider or enterprise.

We are grateful to the CSP who took time to responded and share their views on the draft revised code.

The next section below highlights the main changes suggested by the CSP who responded. We have carefully considered the response and have made changes to the revised Interception code where appropriate.

The key changes we have made in response to the consultation are set out in the ‘Summary of the Consultation Responses’ section below.

Summary of the consultation responses

We have summarised the main response that we received following the formal public consultation below.

A CSP suggested the following amendments to the proposed revision to the code in respect of the circumstances in which an intercepting authority should serve a warrant on the cloud service provider or enterprise:

  • amending the first paragraph of the proposed section on cloud service providers to capture how UK principles of data controller/processor and necessity and proportionality are consistent with the guidance outlined in the Interception code

  • consolidating portions of the text related to technical feasibility to more clearly illustrate the example provided

  • technical edits to align the guidance with the suggestions above and for consistency

Government response

The government assess that the principles of necessity and proportionality are already captured within the IPA and the Interception code of practice, as the intercepting authority would not be seeking an interception warrant if it was not necessary and proportionate.

Further to this, it is not appropriate to outline the requirements of a data controller/processor within the Interception code as these requirements relate to the data protection regime, rather than the IPA. The government has therefore omitted these amendments from the revised Interception code.

For the wider amendments, the government agrees that the proposals around consolidating portions of the text relating to technical feasibility and technical edits to align the relevant text provided clarity and consistency, and these have therefore have been incorporated into the revised Interception code.

Other changes made to proposed revisions to the code

We have also made three additional changes to clarify the guidance set out in the revised code and as a result of further engagement with stakeholders.

These reflect that:

  • the intercepting authority may opt not to serve a warrant on the enterprise if to do so would compromise national security

  • in urgent circumstances the intercepting authority may seek to serve a warrant directly on the cloud service provider if the enterprise has not responded to the original warrant within a reasonable timeframe

  • the enterprise should be aware of its duty not to make an unauthorised disclosure in respect of the warrant

These changes are intended to provide further examples of the circumstances under which a warrant may be served on a cloud service provider instead of an enterprise, and outline the obligations of the IPA regarding unauthorised disclosure.

The new text will be inserted into Chapter 7 of the revised Interception code.

Next steps

The published revised Interception of Communications code of practice must be laid before both Houses of Parliament, along with the draft Investigatory Powers (Covert Human Intelligence Sources and Interception: Codes of Practice) Regulations 2022.

Before the draft statutory instrument is made, it must be debated and approved by a resolution of both Houses. We will shortly lay the draft regulations and the revised Interception code before Parliament to begin that process.

We anticipate that the draft regulations and the revised Interception code will come into force later this year.